Chinese Cybersecurity Law Compared to EU-NIS-Directive and German IT-Security Act

When cyber security not only protects interests of the masses but ultimately also safeguards national sovereignty

In order to effectively address the challenges of attacks on IT systems, cybersecurity measures have been intensified internationally in the latest years. Germany, the EU and China have launched significant legislative initiatives in the last two years. However, the approach and the coverage of the regulations differ considerably in some areas.

I. Germany: IT Security Act

The German IT security law intends primarily to effectively deal with attacks on the critical infrastructures. According to this law, which entered in force mid 2015, critical infrastructures can be companies and institutions, both private and public, in different industries, such as in banking, in water and energy supply and also in media section.[1] They fall under the compulsory registration. These companies and institutions must periodically verify their specially secured relevant systems and processes by certificates. They must also categorize and report any external attacks. To be specific for example, the operators of the telemedia industry are required by law to implement the suitable state-of-the-art IT security basics . Furthermore, the technology institutions must be safeguarded against violations of personal data protection, e.g. by implementing encryption methods recognized as secure . Anyone who breaches of these duties, risks a fine.

The Federal Office for Information Security[2] is the authoritative institution of the entire procedure and the central registration office for IT attacks.

II. Directive on Security of Network and Information Systems

The EU NIS-Directive introduces measures to ensure a high common level of security of network and information systems in the Union and follows a similar approach like the German IT Security Act. The EU NIS-Directive entered into force on 8 August 2016 and is to be transposed by all Member States into national law by May 2018. It traces back to a European Commission policy paper that had been adopted on 7 February 2013 in the framework of the EU cyber security strategy, and should help to improve the resilience of IT systems, to fight cybercrimes and to strengthen the EU cyber defense.[3] ...